High-Order Masking by Using Coding Theoryand its Application to AES

Guilhem Castagnos1, Soline Renner1,2, and Gilles Zemor1

1 Institut de Mathematiques de Bordeaux UMR 5251, Universite Bordeaux 1351, cours de la Liberation, 33405 Talence cedex, France{guilhem.castagnos,gilles.zemor}@math.u-bordeaux1.fr

2 Oberthur Technologies Security Group4, allee du Doyen Georges Brus, 33600 Pessac, France

s.renner@oberthur.com

Abstract. To guarantee that some implementation of a cryptographicscheme is secure against side channel analysis, one needs to formallyprove its leakage resilience. A relatively recent trend is to apply meth-ods pertaining to the field of Multi-Party Computation: in particular thismeans applying secret sharing techniques to design masking countermea-sures. It is known besides that there is a strong connection between se-cret sharing schemes and error-correcting codes, namely every linear codegives rise to a linear secret sharing scheme. However, the schemes mostlyused in practice are the so-called Boolean masking and Shamir’s secretsharing scheme and it is widely thought that they are the most adaptedto masking techniques because they correspond to MDS codes that are insome sense optimal. We propose alternative masking techniques that relyon non-MDS linear codes: these codes are non-binary but have an un-derlying binary structure which is that of a self-orthogonal binary code.Their being non-MDS is compensated by the fact that the distributedmultiplication procedure is more efficient than with MDS codes due toan efficient encoding process and that the distributed computation ofsquares comes at almost no cost. In protecting AES against high-orderside channel analysis, this approach is more efficient than methods usingShamir’s secret sharing scheme and competitive with Boolean masking.

Keywords: High-Order Side Channel Analysis, Linear Secret SharingScheme, Self-Dual Codes.

1 Introduction

In the 90’s, Kocher et al. published the so-called Side Channel Analysis (SCAfor short) which generated a huge interest in both academic and industrial com-munities. Indeed, they noticed that side channel leakage of an embedded de-vice such as its power consumption or its electromagnetic radiation can revealinformation on any value manipulated ([Koc96,KJJ99]). When applied duringthe execution of a cryptographic algorithm, such an attack can be used forsecret key recovery. Since then, a wide variety of attacks has been proposed

including tth-order SCA which exploits leakage observations resulting from thehandling of t intermediate variables during the cryptosystem processing (seee.g., [Mes00,JPS05,PR10,FMPR10]).

One standard way to thwart this kind of attack is based on secret sharing andis called tth-order masking when each sensitive variable is split into numerousshares in a way such that t of them give no information on this variable. Theseshares must then be propagated independently throughout the algorithm to en-sure its resistance against tth-order SCA. In particular, when applying a linearsecret sharing for a masked implementation of the AES cipher, shares can be eas-ily propagated through all linear operations. However, much more work is neededto deal with the inversion in the finite field F28 involved in the AES Sbox. Whenmasking AES, this inversion is usually (see e.g., [TDG02,BMK04,OMPR05])computed using exponentiation so masking this operation comes down to mask-ing multiplications of sensitive variables. This last problem has been extensivelyaddressed in the secure Multi-Party Computation literature. For instance in[BOGW88,CCD88], the authors have introduced a secure multiplication proce-dure for the secret sharing scheme of Shamir ([Sha79]). Much later, in [ISW03],Ishai, Sahai and Wagner have proposed another procedure applied for a ba-sic secret sharing scheme, commonly used to design countermeasures, the so-called Boolean masking. These two methods have been used in the past fewyears to propose high-order masking schemes for AES ([RP10,KHL11,CPRR13]with Boolean Masking, and [GM11,PR11,CPR12] with Shamir’s secret sharingscheme).

Let us mention that, quite recently, the authors of [BFGV12] have suggestedan adaptation of the nonlinear masking technique described in [DF12] to designan implementation of AES resistant against high-order SCA. In particular, theyimproved the secure multiplication of [DF12]. However this scheme being non-linear, the implementation of linear operations becomes expensive compared tolinear schemes.

Another idea is to take advantage of the fact that every linear code gives riseto a linear secret sharing scheme as described in [Mas93] for example. In practice,MDS codes, such as the parity check code (corresponding to Boolean masking)and Reed-Solomon code (for Shamir’s secret sharing scheme) are generally usedto design countermeasures as tth-order SCA resistance is achieved with onlyt + 1 shares. Moreover, the initial Multi-Party Computation protocol proposedin [BOGW88,CCD88] for Shamir’s secret sharing scheme has been generalizedby Cramer et al. ([CDM00]) from any linear secret sharing scheme and familyof codes such as self-dual and geometric codes have been suggested to improveperformance of the distributed multiplication procedure ([CC06,CDG+08]).

Our Contribution. In this paper, we propose to take advantage of results ofcoding theory and Multi-Party Computation to design new tth-order maskingtechniques by selecting linear codes adapted to the masked operations. Moreprecisely, we suggest to use self-dual codes with a binary basis to create secretsharing schemes in which secrets and shares belong to an extension field K of

2

the binary field F2. These codes will provide low-cost square operations3 andan efficient encoding which is extensively used as a subroutine of the securemultiplication procedure. Encoding require zero multiplication over the largefield, contrary to all strategies based on Shamir’s secret sharing scheme. As aresult, our secure multiplication procedure needs O(t) multiplications whereasthe methods based on Shamir’s secret sharing scheme ([GM11,PR11]) involveO(t3) multiplications4, due to a costly encoding procedure, and the methodgiven in [RP10], using Boolean masking, has complexity O(t2) multiplications.Moreover, we propose an improvement of the multiplication procedure given in[BOGW88,CCD88,CDM00] which can also be applied for Shamir’s secret sharingscheme.

Our codes are non-MDS, so we need more than t + 1 shares to achieve tth-order SCA resistance. However, thanks to the underlying binary structure of ourcode, we show that it is possible to efficiently switch code to the same code usedfor Boolean masking during linear operations. As a result, these linear operationscan be masked as efficiently as with Boolean masking. We also propose to workwith an underlying self-dual code over F4 which provides a low-cost x 7→ x4

operation over K with less shares.Finally, in the context of an implementation of a tth-order secure AES, we

show that our masking proposal dramatically improves the method with Shamir’ssecret sharing scheme and is competitive with Boolean masking.

Paper Organization. In Section 2, we recall the connection between tth-orderSCA countermeasures and secret sharing schemes and present the approachwith Shamir’s secret sharing scheme. In Section 3, we present the construc-tion of linear secret sharing schemes derived from linear codes and the generalMulti-Party Computation multiplication procedure of [CDM00] that generalizes[BOGW88,CCD88]. Section 4 is the core of our proposal: we present a new tth-order masking technique based on self dual codes, and several implementationimprovements. In Section 5, we apply our technique to secure an AES imple-mentation present experimental results and make a comparison with previousworks. Finally Section 5 concludes the paper.

2 Secret Sharing Scheme and tth-Order Masking

An implementation of a secret key algorithm is said to be tth-order secure if anadversary gains no information about the secret key from the knowledge of tintermediate values. This ensures that the observation of the physical leakagerelated to the manipulation of these intermediate values will not help the adver-sary in performing a key recovery attack. A sound approach to reach this level of

3 We note that a similar trick have been proposed to make efficient squaring in thelong version of [PR11] but only with Reed-Solomon codes which are different to thecodes used in our proposal.

4 This can be improved to O(t2 log4 t) multiplications by using discrete Fourier trans-form cf. [CPR12].

3

security is to mask each sensitive variable s with a linear secret sharing scheme.For example, the so-called Boolean masking consists in randomly splitting s intot+1 shares s1, . . . , st+1 in a way such that s = s1 + · · ·+st+1 ([RP10,CPRR13]).The linear secret sharing scheme of Shamir has also been used in this context([GM11,PR11,CPR12]).

Some mechanisms must be developed to make this masking procedure com-patible with the operations performed in the protected algorithm, i.e., to enablethe computation on masked data. For example, for the AES cipher, linear oper-ations are compatible with linear secret sharing. Nonlinear functions involved inthe SubBytes transformation are more difficult to deal with. Usually the inver-sion involved in this transformation is computed using an exponentiation whichrequires a method to protect multiplications of sensitive variables. In the contextof the AES, some solutions have been developed in [RP10,KHL11,CPRR13] formultiplication with Boolean masking.

In this section, after some definitions on secret sharing schemes, we describethe solution, close to our proposal, given in [GM11,PR11,CPR12] still in thecontext of AES, to perform multiplications with Shamir’s secret sharing scheme.

2.1 Definitions

Let K be a field. A secret sharing scheme is a method to split a secret s ∈ Kamong a set of n shares. More precisely a secret sharing scheme is composed oftwo algorithms, encoding and decoding . The encoding of s provides an n−vectorof shares called share vector : (s1, . . . , sn) ∈ Kn. The decoding algorithm recon-structs the secret s from (s1, . . . , sn).

A secret sharing scheme has t-privacy if any set of at most t shares reveals noinformation about the secret, and r-reconstruction if r shares reveal the entiresecret. A secret sharing scheme is said to be linear if for any two secrets s and s′

shared respectively by (s1, . . . sn) and (s′1, . . . s′n), the vectors (s1+s′1, . . . , sn+s′n)

and (λs1, . . . , λsn) decode respectively to s+ s′ and λs, λ ∈ K.A tth-order secure implementation of an algorithm can be based on a linear

secret sharing scheme with t−privacy. The encoding procedure is applied toeach input variable. Share vectors are then manipulated to reflect the protectedalgorithm. Additions and scalar multiplications of secrets are performed easilyon the share vectors. In the following, we recall the linear secret sharing schemeof Shamir and the method to perform tth-order secure multiplication of secretsdescribed in [GM11,PR11,CPR12].

2.2 Shamir’s Secret Sharing Scheme

In [Sha79], Shamir has introduced a linear secret sharing scheme over a finite fieldFq based on polynomial interpolation. The encoding step consists in generatinga random secret polynomial P of degree t over Fq such that P (0) = s. Then, theshare vector of s denoted (s1, . . . , sn) is generated by evaluating si = P (xi) inn distinct non-zero points x1, . . . , xn of Fq. Let A be a subset of {1, . . . , n} suchthat |A| > t+ 1. The decoding step consists in recovering the secret polynomial

4

by interpolation and then the secret by an evaluation at 0. This is done bycomputing:

s =∑i∈A

siβi(0), (1)

where βi(X) =∏

j∈A,j 6=iX−xj

xi−xjare Lagrange polynomials. This gives a linear

secret sharing scheme with t-privacy and t+ 1-reconstruction.Linear operations on secrets can be securely executed as described in sub-

section 2.1. However nonlinear operations over Fq are more complex to dealwith. Multiplication of two secrets has been extensively studied to design se-cure multiparty computation schemes, e.g. in [BOGW88,CCD88,GRR98]. Themethod consists in multiplying the two share vectors share by share. This oper-ation corresponds to the multiplication of two degree t polynomials which givesa polynomial of degree 2t. The secret result of the multiplication can then berecovered with at least 2t + 1 shares if n > 2t + 1. A method to reduce thenumber of shares required to reconstruct the secret is needed, otherwise k suc-cessive multiplications would require to take n > kt+ 1. The solution consists inre-encoding 2t+ 1 shares and to compute the sum of the resulting share vectors.

In [GM11,PR11], this secure multiplication has been used to implement theAES cipher. Algorithm 1 recalls the solution to perform the secure multiplicationprocedure as given in [GM11]. In particular the authors have suggested to taken = t + 1 during the whole process and to generate on-the-fly the additionalshares when a multiplication step is required reducing the overall complexity oftheir AES implementation.

Algorithm 1 Secure Multiplication [GM11, Algorithm 2]Inputs: 2n− 1 distinct non-zero public elements x1, . . . , x2n−1

(s1, . . . , sn) a share vector of s and (s′1, . . . , s′n) a share vector of s′

βj(xi) pre-computed for 1 6 j 6 n and n+ 1 6 i 6 2n− 1

β∗i pre-computed for 1 6 i 6 2n− 1 with β∗i =∏2n−1

j=1,j 6=i

−xj

xi−xj

Output: (z1, . . . , zn) a share vector of ss′

1. For i = n+ 1 to 2n− 1 do

2. si ←∑n

j=1 sjβj(xi)

3. s′i ←∑n

j=1 s′jβj(xi)

4. For i = 1 to 2n− 1 do

5. wi = sis′iβ∗i

6. (wi1 , . . . , win)← encoding(wi)

7. For j = 1 to n do

8. zj ←∑2n−1

i=1 wij

9. Return (z1, . . . , zn)

Remark 1. When the field Fq has characteristic 2, the square of a secret canbe performed more efficiently than general multiplication. Let us consider thesquare (s21, . . . , s

2n) of a share vector of s and let us denote P the secret polynomial

used to share s. Relation (1) gives s2 =∑

i∈A s2iβi(0)2, so the secret s2 can be

5

recovered with only (t+ 1) shares. However each share s2i is an evaluation of P 2

at x2i instead of xi. In [GM11] the authors propose again to apply a re-encodingstep so that the shares are the evaluation of a polynomial at (x1, . . . , xn). In thelong version of [PR11] it is proposed to choose the points x1, . . . , xn such thatthe set of these points is stable with respect to the Frobenius map x 7→ x2. As aresult, a simple re-ordering of the shares is needed instead of a re-encoding step.The situation will be even simpler with our proposal since no re-ordering will beneeded.

The main cost of Algorithm 1 comes from the numerous multiplications byconstant values, namely the multiplications by β∗i and βj(xi) and the ones re-quired during the encoding steps. These steps correspond to evaluations of poly-nomials at n different points. In [CPR12], the authors propose to use the discreteFourier transform for these computations. Hence the whole secure multiplicationprocedure can be improved to a complexity of O(n2) multiplications instead ofthe naive approach in O(n3) multiplications. With our proposal, no multiplica-tion by constant values over Fq will be needed, as a result of which the securemultiplication procedure will be improved to a complexity of O(n) multiplica-tions.

3 Coding Theory Generalisation

It is well-known that a linear secret sharing scheme can be built from a linearcode as described, for example, in [Mas93,CC06,CCG+07,CDG+08]. Moreover,the problem of computing on masked data (addition and multiplication of secretvalues) for general secret sharing schemes has been addressed to design securemultiparty computation protocol (see, e.g., [CDM00]), generalizing the protocolinitially proposed in [BOGW88,CCD88] with Shamir’s scheme. In the follow-ing, we recall some basic definitions, explain the construction of a linear secretsharing scheme from a linear code and describe the algorithms to perform se-cure computation on secrets that generalize the algorithms given in the previoussection.

3.1 Basic Definitions and Results from Coding Theory

Over a finite field Fq, an [n+ 1, k+ 1, d]q linear code C is a (k+ 1)−dimensionalvector subspace of Fn+1

q with minimum Hamming distance d. The generatormatrix G of a linear code in systematic form can be written as G = [Idk+1| A ],whereA is a (k+1)×(n−k)−matrix. The elements c = (c0, . . . , cn) of C are calledcodewords and can be generated as c = (r0, . . . , rk)·G, where (r0, . . . , rk) ∈ Fk+1

q .

The dual code C⊥ of C is an [n+ 1, n− k]q linear code defined by

C⊥ ={c ∈ Fn+1

q : 〈c, c′〉 = 0 for all c′ ∈ C},

where 〈., .〉 denotes the inner product defined by 〈c, c′〉 =∑n

i=0 cic′i. When C =

C⊥ (resp. C ⊆ C⊥), C is said to be self-dual (resp. self-orthogonal).

6

From C an [n+ 1, k + 1]q linear code, the squared code denoted C is defined by

C = 〈{c ∗ c′, c, c′ ∈ C}〉 ,

where ∗ denotes the Schur product c ∗ c′ = (c0c′0, . . . , cnc

′n). Moreover we define

C2 asC2 =

⟨{c2 = c ∗ c, c ∈ C}

⟩.

For more details on linear codes, the interested reader may refer to [MS78].In the following we give two lemmas useful to select suitable codes for efficientoperations on masked data.

Lemma 1. Let C be an [n, k] linear code over Fq of characteristic 2. The fol-lowing assertions are equivalent:

1. ∀c ∈ C, c2 ∈ C,2. C has a binary basis.

Proof. Let C be a linear code over Fq of characteristic 2 having a binary basis(b1, . . . , bk) with bi ∈ Fn

2 . For all i, b2i = bi. If c is a codeword of C, then there

exists a linear combination such that c =∑k

i=1 λibi with λi ∈ Fq. We have

c2 =∑k

i=1 λ2i b

2i =

∑ki=1 λ

2i bi ∈ C.

Conversely, let C be a [n, k] linear code over Fq, such that for all code-word c ∈ C, c2 ∈ C. Let G be a generator matrix of C in systematic formand bi be the ith row of G. Let a1, . . . , an−k be elements of Fq such thatbi = (0, . . . , 0, 1, 0, . . . , 0, a1, . . . , an−k).

By definition b2i = (0, . . . , 0, 1, 0, . . . , 0, a21, . . . , a2n−k) ∈ C, so there exists a

linear combination such that b2i =∑k

i=1 λibi. From the last equality, the jth

coordinate of b2i is equal to λj for j ∈ {1, . . . , k}. By identification, we have for1 6 j 6 k and j 6= i, λj = 0, and λi = 1. Therefore b2i = bi and then a2j = aj forj ∈ {1, . . . , n− k}. Thus bi ∈ Fn

2 . ut

Lemma 2. If C is a linear self-dual code (or a linear self-orthogonal code), then

the codeword 1 = (1, . . . , 1) ∈ C⊥.

Proof. For all c, c′ ∈ C of the self-dual (or self-orthogonal) code, we have: 〈c, c′〉 =〈c ∗ c′,1〉 = 0. ut

3.2 Construction of a Linear Secret Sharing Scheme from a LinearCode

Let C be an [n+1, k+1, d]q linear code with G its generator matrix in systematicform. All codewords c = (c0, c1, . . . , cn) of C can be identified with a share vector(c1, . . . , cn) of the secret c0 = s. Hence the encoding procedure of a secret s ∈ Fq

consists in generating a codeword c = (s, r1, . . . , rk) · G, where r1, . . . , rk arerandom values of Fq. In case of ambiguity, this procedure is denoted encodingC .Assuming that there exists a codeword h = (h0, . . . , hn) of C⊥ such that h0 = 1,

7

the decoding procedure can be implemented by computing s =∑n

i=1 λici whereλi = −hi ∈ Fq. In this case, we call recombination vector of C, such a vectorλ = (λ1, . . . , λn) where the number of non-zero λi equals to d⊥ − 1.

In [CCG+07, Theorem 1], it is shown that such a linear secret sharing schemehas (d⊥−2)−privacy and (n−d+ 2)−reconstruction, where d⊥ is the minimumdistance of C⊥.

3.3 Operations on Masked Data

A linear code gives a linear secret sharing scheme, so addition and scalar mul-tiplication of secrets correspond to addition and scalar multiplication of sharevectors. Consider now the problem of multiplying two secrets shared by a generalsecret sharing scheme. In other words, from the shared vectors of two secrets onewishes to obtain a shared vector representing the product of the secrets by usingoperations on shares and without reconstructing the secrets. This problem hasbeen addressed in [CDM00]. In this work, a procedure that generalizes Algo-

rithm 1 is given, by considering any linear code C such that d⊥ ≥ d⊥ where d⊥

is the minimum distance of C. We describe this approach below.We assume that there exists a recombination vector λ of C (for example,

according to Lemma 2, we can choose λ = (1, . . . , 1) if C is self-dual or self-orthogonal). Let c, c′ ∈ C be such that c0 = s and c′0 = s′. The secret multiplica-

tion ss′ can be shared by c∗c′ ∈ C and recovered by computing ss′ =∑n

i=1 λicic′i.

Furthermore C gives a secret sharing scheme with (d⊥ − 2)−privacy and as

d⊥ ≥ d⊥, the privacy level of the secret sharing scheme associated to C is pre-served. To be able to perform further multiplications, we need a method forre-encoding the codeword c ∗ c′ ∈ C into a new codeword z ∈ C such thatz0 = ss′. As seen in the previous section, this can be done by re-encoding eachλicic

′i into a new codeword of C. Then by summing these n codewords, we ob-

tain z, a codeword of C, such that z0 = ss′. This procedure is described in thefollowing algorithms: Algorithm 3 for the secure multiplication procedure, andAlgorithm 2 for the re-encoding subroutine.

Algorithm 2 Secure Re-encoding Procedure

Inputs: C a [n+ 1, k + 1]q linear codeC′ a [n′ + 1, k′ + 1]q linear code and λ′ a recombination vector(w1, . . . , wn′) a share vector corresponding to a codeword of C′

Output: (z1, . . . , zn) a share vector of∑n′

i=1 λ′ici corresponding to a codeword of C

Function: re-encoding C′ 7→C(λ′, w1, . . . , wn′)

1. For i = 1 to n′ do

2. (wi1 , . . . , win)← encodingC(λ′iwi)

3. For j = 1 to n do

4. zj ←∑n′

i=1 wij

5. Return (z1, . . . , zn)

8

Algorithm 3 Secure Multiplication ProcedureInputs: C a [n+ 1, k + 1]q linear code(c1, . . . , cn) a share vector of s and (c′1, . . . , c

′n) a share vector of s′ corresponding to

codewords of Cλ a recombination vector of COutput: (z1, . . . , zn) a share vector of ss′ corresponding to a codeword of C

1. (w1, . . . , wn)← (c1c′1, . . . , cnc

′n)

2. (z1, . . . , zn)← re-encoding C7→C(λ, w1, . . . , wn)

3. Return (z1, . . . , zn)

These algorithms requires n multiplications of shares and numerous multipli-cations by constant values: the coordinates of λ and the elements of the matrixG for the encodings. In our proposal, all these elements will be binary, so onlyn multiplications will be needed for a secure multiplication.

Fact 1 From the properties of the secure Multi-Party Computation protocolgiven in [CDM00, Section 6], Algorithms 2 and 3 give a tth-order secure mul-tiplication, with t = d⊥ − 2 where d⊥ is the dual distance of the linear codeC.

Remark 2. Over a finite field Fq of characteristic 2, the square of a secret s can be

computed without using the squared code C and λ. Indeed, if (1, λ1, . . . , λn) ∈ C⊥,

then (1, λ21, . . . , λ2n) ∈ C2⊥ . As a result, if s is shared by (c1, . . . , cn), one can apply

Algorithm 2 to λ2, (c21, . . . , c2n), to obtain a share vector of s2 corresponding to

a codeword of C. Moreover, no re-encoding is needed if c2 ∈ C. According toLemma 1, this will be the case if and only if C has a binary basis. In this case,the secure squaring procedure only requires to compute n squares.

3.4 Application to Boolean Masking and to Shamir’s Secret SharingScheme

The well-known Boolean masking can be obtained with this framework by usingthe [n+ 1, n]q linear parity check code with generator matrix

G =

1

Idn...1

. (2)

The dual of this code is generated by the codeword (1, . . . , 1). As a con-sequence, the secret sharing scheme constructed from such a code has (n − 1)-privacy and the secret s ∈ Fq can be recovered by computing s =

∑ni=1 ci, where

(c1, . . . , cn) is a share vector of s. As said in Remark 2 this scheme allows a securesquaring procedure with a low computational cost. However for n+ 1 > 2, it iseasy to see that C⊥ = {0}. As a consequence we cannot apply Algorithm 3 to

9

perform a secure multiplication. Nevertheless other methods are proposed in theliterature to perform such an operation without using the framework of error-correcting codes (for instance the method given in [RP10] requires roughly n2

multiplications of shares).Shamir’s secret sharing scheme can be constructed from the Reed-Solomon

code of parameters [n+ 1, t+ 1]q with the generator matrix

G =

1 1 . . . 10 x1 . . . xn0 x21 . . . x

2n

...... . . .

...0 xt1 . . . x

tn

,

with for all i, j, i 6= j, xi 6= xj ∈ Fq r {0}. The recombination vector λ canbe chosen such that λi = βi(0) (i.e., Lagrange polynomials evaluated in 0).

Moreover, C is the [n+1, 2t+1]q Reed-Solomon code and if 2t+1 6 n, then we canapply Algorithm 3. This gives essentially Algorithm 1 where the only differenceis the on-the-fly computation of the missing shares. Similarly the method of[GM11] to compute secure squaring for Shamir’s scheme explained in Remark 1,corresponds to the method given in Remark 2.

4 Our Contribution

The codes generally considered for the construction of secret sharing schemesare MDS codes, such as the parity check code (for Boolean masking) and Reed-Solomon codes (for Shamir’s scheme). This is because they give perfect secretsharing schemes, namely t−privacy and t+1−reconstruction. In particular, whenused as tth-order masking, only t + 1 shares can be used to mask each inputvariable.

The efficiency of Boolean masking comes from the fact that it correspondsto a code with a binary generator matrix (2). By lemma 1, this binary basisimplies that squaring in an extension of the binary field is a low-cost operation.Moreover, encoding requires only additions and no multiplications. As mentionedin subsection 3.4, the general secure multiplication (Algorithm 3) cannot beapplied to Boolean masking, and the secure multiplication algorithm of [RP10]requiresO(t2) multiplications. For Shamir’s secret sharing scheme [PR11,GM11],secure multiplication corresponds to Algorithm 3. But the encoding subroutineneeds numerous multiplications in the finite field and secure multiplication hascomplexity O(t3) or O(t2) multiplications with FFT techniques ([CPR12]), evenif only O(t) multiplications of shares are needed. Moreover, some work has beendone to make the squaring procedure more efficient (cf. remark 1).

We propose to select a family of non-MDS linear codes over an extensionof the binary field such that Algorithm 3 is applicable like in Shamir’s scheme,and such that a binary basis is available like in Boolean masking. With thesecodes we will have all the benefits: an encoding subroutine which requires zero

10

multiplication, a low-cost square operation (like in Boolean masking), and asecure multiplication procedure which requires only O(t) multiplications and isthus more efficient than methods with MDS codes. The codes that we use havean underlying binary structure which is that of a self-dual or a self-orthogonalbinary code. We also discuss the case of codes defined with a basis in F4.

Moreover, we propose an improvement of the multiplication procedure de-scribed in Algorithm 3 which can also be applied for Shamir’s secret sharingscheme.

Finally, to compensate the additional number of shares needed by the factthat our codes are non-MDS, we show that it is possible to efficiently switch codeto the same code used for Boolean masking during linear operations, thanks tothe underlying binary structure of our codes. As a result, these linear operationscan be masked as efficiently as with Boolean masking.

Table 3 sums up the costs of our masking procedure when applying all theseimprovements.

4.1 Linear Secret Sharing Schemes based on Self-Dual Codes

In all the following we consider a base field Fq of characteristic 2. As previouslysaid, we want to select a linear code C over Fq with a binary basis. Moreover,as described in Section 3, to ensure that the multiplication procedure given byAlgorithm 3 is applicable, C⊥ must contains a particular codeword h such thath0 = 1. Lemma 2 shows that by choosing for C a self-dual or self-orthogonalcode, such a property is fulfilled.

As described in Section 3, a linear [n + 1, k + 1] code allows to construct asecret sharing scheme with n shares and t−privacy, where t = d⊥−2. For a fixedvalue t, the number of shares must be the smallest possible to reduce the totalnumber of operations of a tth-order masking. In the coding literature, self-dualand self-orthogonal binary codes are well-studied. In particular, we can give inTable 1 a list of binary codes C with minimal length and dual distance d⊥ = t+2for 1 6 t 6 6, such that for even length, the codes C are self-dual and for oddlength, self-orthogonal. The code used for our tth-order masking is not strictlyspeaking the code C but the code over Fq generated by the binary generatormatrix of C. The code constructed over Fq remains self-dual or self-orthogonal,and has the same properties (length, dimension, minimum distance and dualdistance) than the underlying binary code.

In this table, the self-dual shortened Golay code [22,11,6] is built from theextended Golay code by using codewords beginning by 00 and 11. The code C21

[21,11,5] is obtained by removing a coordinate of the shortened Golay code. Forlarger values of t, the reader is referred to the codes given in [CS90,GO03], andit is known that n will be linear in t.

Interestingly, self-dual binary codes and some generalisations have been calledupon [CGKS12,CG13] in order to improve resistance against side-channel anal-ysis, through in contexts that do not invoke secret sharing.

To construct a tth-order masking scheme, we select the [n+1, k+1] code fromthe line t of Table 1. The encoding procedure (cf. subsection 3.2) requires the

11

tBinary code C Binary Dual code C⊥ Number of additions

[n+ 1, k + 1] with d⊥ = t+ 2 required during an encoding

1 Code [7, 3] Hamming code [7, 4, 3] 5

2 Extended Hamming code [8, 4, 4] 8

3 Code [21, 10] C21 [21, 11, 5] 48

4 Shortened Golay code [22, 11, 6] 44

5 Code [23, 11] Golay code [23, 12, 7] 64

6 Extended Golay code [24, 12, 8] 72

Table 1. List of binary codes

generation of k random values over Fq and only L additions, where L is given inTable 1 and depends on the number of 1s in the generator matrix considered. Forthis encoding step, there is no multiplication by constant values of Fq unlike inShamir’s scheme. The addition and scalar multiplication of a secret are computedon each of the n shares, so n operations are needed. Squaring also consists insquaring the n shares. Secure multiplication is done with Algorithm 3. The vectorλ is defined over F2, so only n multiplications in Fq are required.

From Table 1, we note that the number of shares n of our tth-order maskingscheme is important compared to a perfect scheme such as Shamir’s. For examplefor t = 3, we need n = 20 shares and with a perfect masking only 4. To improvethe performance of our masking method, a solution is to consider an underlingself-dual or self-orthogonal code over F4 instead of F2 if F4 ⊂ Fq. Indeed, aswe can see in [GO03] such codes provide a better ratio n/t. With such a codethe generator matrix has now its coefficients in F4 = {0, 1, w, w + 1} ⊂ Fq. Asa result the encoding procedure requires some multiplications by w. However,unlike in Shamir’s scheme, here only one constant value, i.e., w is manipulatedand the products wx, x ∈ Fq can be precomputed in a table.

In Table 2, we give a list of optimal codes over F4 and indicate the number ofadditions and the number of low-cost multiplications with w required during anencoding procedure. As with Table 1, the code used in our masking scheme is aself-dual or a self-orthogonal code over Fq built from the generator matrix of thecode given in the table. With these codes, we lose the advantage of the low-costsquaring operation: the secure squaring now requires a re-encoding procedure asdescribed in Remark 2. However the complexity of raising a sensitive variable tothe power 4 is still small. Indeed by adapting Lemma 1, we can show that forany codeword c ∈ C, we have c4 ∈ C.

4.2 Improvement of Secure Multiplication

During a secure multiplication (Algorithm 3), the most expensive step is the re-

encoding process from C to C where n calls are done to the encoding procedure.In order to reduce the complexity of this algorithm, we show that this number

12

tCode C over F4 Dual code C⊥ encoding

[n+ 1, k + 1] with d⊥ = t+ 2 add mult with w

1 Extended quadratic residue code XQR(3) [4, 2, 3] 4 2

3 Code [11, 5] Quadratic residue code QR(11) [11, 6, 5] 25 5

4 Extended quadratic residue code XQR(11) [12, 6, 6] 32 6

5 Code [19, 9] Quadratic residue code QR(19) [19, 10, 7] 69 9

Table 2. List of codes over F4

of calls can be decreased. This modified algorithm will still be tth-order SCAsecure with t = d⊥ − 2.

After the multiplication of two share vectors of s and s′, we obtain a sharevector (c1c

′1, . . . , cnc

′n) of ss′ corresponding to a codeword of C. If we add the

vector (c1c′1, . . . , cnc

′n) and a random share vector of 0 in C, then we obtain a

random5 share vector in C of ss′ denoted w = (w1, . . . , wn). Furthermore, C gives

a secret sharing scheme with (d⊥−2)−privacy. Assuming that e = d⊥−d⊥ > 0,we combine (e+ 1) elements of w giving a share vector

w =

(e+1∑i=1

λiwi, we+2, . . . wn

)

associated to a linear code C∗ of length n − e. By construction, the vectorλ∗ = (1, λe+2, . . . , λn) is a recombination vector of this code if (λ1, . . . , λn) is

a recombination vector of C . The algorithm is still tth-order SCA secure if were-encode the coordinates of this share vector w instead of w. Indeed, supposethat an adversary has access to a subset of t shares of this vector w. If the firstcoordinate is not in this subset, the adversary has no information on the secretas the scheme is at least t−private. If he knows the first coordinate he has lessinformation than with w1, w2, . . . , we+1 and t−1 others shares, i.e., with d⊥−2shares, so he has again no information on the secret.

Therefore, only n− e shares can be re-encoded during the secure multiplica-tion procedure as described in Algorithm 4.

This improvement can be applied for each linear code with d⊥ > d⊥. Inparticular, the squared codes C associated to the codes given in Tables 1 and 2are the parity check codes of length n+1 and have d⊥ = n+1, so only n−e = t+1shares have to be re-encoded in Step 5. Similarly, for Shamir’s secret sharingscheme by taking n = 2k + 1, then we have that t = k, d⊥ = k + 2 and thesquared code C associated is the Reed-Solomon code of parameters [2k+2, 2k+1],

so d⊥ = 2k + 2. Therefore n− e = t+ 1.

5 If this step is omitted, the vector y = c ∗ c′ of C may not have (d⊥− 2)−privacy. Forexample, if s = s′ and the two input share vectors are equals, y ∈ C2 and as C2 = Cin our proposal, this vector has only (d⊥ − 2)−privacy.

13

Algorithm 4 Improvement of Secure MultiplicationInputs: C a [n+ 1, k + 1]q linear code(c1, . . . cn) and (c′1, . . . , c

′n) two share vectors respectively of s and s′

λ a recombination vector of C and e = d⊥ − d⊥ > 0Output: (z1, . . . , zn) a share vector of ss′

Function: SecMult((c1, . . . cn), (c′1, . . . c′n))

1. (w1, . . . , wn)← (c1c′1, . . . , cnc

′n) + encodingC(0)

2. (w1, . . . , wn)← (λ1w1, . . . , λe+1we+1, we+2, . . . , wn)

3. For i = 1 to e do

4. we+1 ← we+1 + wi

5. (z1, . . . , zn)← re-encoding C∗ 7→C((1, λe+2, . . . , λn), (we+1, . . . , wn))

6. Return (z1, . . . , zn)

4.3 Code Switching to Perform Efficient Linear Operations

To compensate the additional number of shares needed by the fact that our codesare non-MDS, we propose a solution to reduce the number of shares used duringlinear operations, still achieving a tth-order masking. Let us consider the maskingscheme using a code C built from Table 1. Thanks to the underlying binarystructure, it is possible to efficiently re-encode the share vectors of C to an MDScode C? for linear operations (additions and scalar multiplications). This simplyconsists in considering only the shares involved in the reconstruction, namelythe t+ 1 shares corresponding to the non-zero coordinates of the recombinationvector. As a result, the MDS code C? corresponds to Boolean masking. Henceall linear operations can be implemented with the same complexity as Booleanmasking. At the end of the linear operations, when a multiplication has to bedone, each share will be re-encoded to form a new share vector correspondingto a codeword of C.

This method can be adapted for a masking scheme using the codes C of Table2. At the end of the multiplication procedure, the shares of a vector of C arere-encoded into C? (instead of C) to form a share vector of length t + 1. Thiscode is used during the linear operations and then a re-encoding is applied so asto fall back on a codeword of C when another multiplication is needed.

4.4 Comparison with Other Masking Schemes

We summarize in Table 3 the cost of secure operations when we use our tth-order masking schemes derived from the codes of Table 1 (resp. from the codesof Table 2) denoted by our masking scheme F2 (resp. our masking scheme F4)using the improvements proposed in subsections 4.2 and 4.3.

In this table, rand indicates the number of random elements to generate,add and mult correspond to the numbers of additions and multiplications in thefinite field Fq. By mult with w, we indicate the number of small multiplicationswith the constant w ∈ F4 which can be performed with a look-up table. We also

14

give the cost of masked operations for Boolean masking using the multiplicationprocedure described in [RP10] and for Shamir’s secret sharing scheme usingthe multiplication procedure of [GM11,PR11]. For the multiplication procedure(denoted by Mult. of share vectors) with Shamir’s scheme, the cost of polynomialevaluations may be lowered by using the discrete Fourier transform as describedin [CPR12].

According to this table, our masking procedure is dramatically more efficientthat Shamir’s secret sharing scheme. When n behaves as a linear function of t,our solution is asymptotically the most efficient since the secure multiplicationprocedure needs a number of field multiplications linear in t while a quadraticnumber is needed for the Boolean masking scheme. In the next section, we com-pare these methods for securing AES, with concrete parameters.

Our Masking Scheme F2 Our Masking Scheme F4

Add. with a constant 1 add

Add. of share vectors t+ 1 add

Mult. with a constant t+ 1 mult

Mult. of share vectors

(n− 1) + k(t+ 1) rand (n− 1) + k(t+ 1) rand[(t+ 1)(L+ n− 1) [(t+ 1)(L+ n− 1)

+2n− 1] add +2n− 1] addn mult n mult

(t+ 1)L′ mult. with w

Square of share vectors t+ 1 squares

Boolean Masking Shamir Masking[RP10] [GM11,PR11]

Add. with a constant 1 add t+ 1 add

Add. of share vectors t+ 1 add

Mult. with a constant t+ 1 mult

Mult. of share vectors

t(t+ 1)/2 rand t(2t+ 1) rand2t(t+ 1) add t(2t2 + 2t) add(t+ 1)2 mult (2t+ 1)2 mult

2t+ 1 polynomialevaluations:

(2t+ 1)× (t2 + t)add(2t+ 1)× (t2 + t)mult with const

Square of share vectors t+ 1 squares

Remarks: n and k corresponds to the parameters of the [n+ 1, k + 1] codes given inTable 1 and 2. L and L’ refer respectively to the number of additions and low-costmultiplication with w for encoding given in Table 1 and 2.

Table 3. Complexity of masked operations against tth-order SCA

15

5 Application to AES

In this section, we apply our masking scheme to design a secure implementa-tion of AES against tth-order SCA and compare its performance with Booleanmasking [RP10] and Shamir’s secret sharing scheme [GM11,PR11].

The AES [FIP01] is a block cipher algorithm which operates on a 4×4 bytesstate. The bytes are viewed as elements of F28 = F2[x]/(x8+x4+x3+x+1). Dur-ing encryption, four transformations are involved. AddRoundKey is an additionbetween the state and the round key, SubBytes is a nonlinear transformation,ShiftRows and MixColumns are linear transformations.

In the following, we describe the implementation of our tth-order masking onall the AES transformations.

5.1 Secure Implementation of Linear AES Transformations

To secure the linear transformations (AddRoundKey, ShiftRows, MixColumns)against tth-order SCA, we propose to apply Boolean masking. More precisely,we consider the [t + 2, t + 1] parity check code C? over F28 constructed fromthe generator matrix given by (2). Each element of the state is shared into t+ 1elements of F28 with the encoding procedure described in subsection 3.2. Henceall linear AES transformations can be performed share by share as for Booleanmasking. As a result the masking of this transformation is as efficient as themethod of [RP10]. More precisely, AddRoundKey requires 16× (t+ 1) additionsin F28 and MixColumns requires 4 × 15 × (t + 1) additions and 4 × 4 × (t + 1)multiplications by the constant {0x02} which can be performed by a look-uptable.

5.2 Secure Implementation of SubBytes Transformation

The nonlinear SubBytes transformation is the composition of two functions: thenonlinear calculation of the inverse in F28 and an affine transformation overF2, denoted Af . To secure the computation of the inverse in F28 , one uses thefact that this operation can be defined as X 7→ X254. As shown in [RP10], thisexponentiation requires a lower bound of 4 multiplications and 7 squares overF28 :

X254 = [(X2X)4(X2X)]16(X2X)4X2 . (3)

At the beginning of the SubBytes Transformation, we apply the code switch-ing method of subsection 4.3. More precisely, each coordinate of the share vectorsof the short code C? are re-encoded in a code C selected from Table 1 or 2. Then,the entire secure inversion is performed in this code with formula (3).

For the codes of Table 1, the square procedure require n squares performedshare by share. Secure multiplications are done with Algorithm 4. For the codesof Table 2, the map X 7→ X4 can be computed efficiently share by share. Thesquare procedure now needs a re-encoding procedure as described in Remark2. For this reason, with these codes, we perform the first operation (i.e., the

16

computation of the share vector of X2) with the short parity check code C?

before switching code to C.Finally, we need to apply the affine transformation Af which can be decom-

posed as X 7→ A(X) + b where A is linear over F2 and b is a constant byte. Thefunction A being linear over F2 (and not F28), we propose to compute this stepby switching code to the parity check code C?. Hence as for Boolean masking(cf [RP10]), this transformation requires roughly only t + 1 times the cost of asingle A evaluation which is performed by using a look-up table.

5.3 Implementation Results and Comparisons

In order to give an idea of the global complexity of our masking scheme, wegive in Table 4 estimations of the number of cycles needed for different imple-mentations of a tth-order masking of the AES Sbox for t ∈ {1, . . . , 6}. Theseestimations are based on 8051 assembly language with a 8-bit smartcard CPU.In such an environment, generation of a random byte requires 2 cycles, an ad-dition requires 1 cycle, a secure multiplication over F28 implemented by usingso-called log/alog tables (see for instance [DR02]) requires roughly 20 cycles,and an access to a look-up table (describing the square operations, the multi-plication with w and the affine transformation) requires 3 cycles. In particularthe magnitude of complexity estimations given in Table 4 has been confirmedby a real implementation of our proposal, with the two first codes of Table 1, todesign a first and second-order secure implementation.

Scheme \ Order t 1 2 3 4 5 6

Boolean masking [RP10] 0.4 0.9 1.5 2.4 3.4 4.6Shamir [GM11,PR11] 1.3 4.8 11.6 22.7 39.3 62.3

Our masking scheme F2 0.8 1.1 3.8 4.3 5.3 6.2Our masking scheme F4 0.5 - 2.2 2.9 5.7 -

Table 4. Estimation of timing for a secure AES Sbox on an 8-bit smartcard (in thou-sands of cycles)

From Table 4, we can see that, as t grows, our approach becomes more andmore efficient than the method proposed in [GM11,PR11] using Shamir’s secretsharing scheme. Furthermore we can remark that the cost of our method isvery close to the method using Boolean masking described in [RP10]. Howevera security flaw in this method has been very recently announced in [CPRR13]where the authors proposed a new solution. For future work, it will be interestingto compare our proposal to this solution and to see if some ideas using theframework of error correcting codes introduced in our work can be adapted tothis solution to devise a more efficient masking of AES.

17

6 Conclusion

In this paper, we have presented a new high-order masking scheme and an appli-cation to the AES cipher. The masking scheme relies on secret sharing based oncarefully chosen non-MDS linear codes and is significantly more efficient thanthe methods that rely on Shamir’s secret sharing scheme. As a result, whenapplied to the secure implementation of AES, our masking scheme is a moreattractive alternative to Boolean masking than Shamir’s scheme. Moreover, thecomparison given by Table 4 shows that the efficiency of our proposal is veryclose to Boolean masking and it could open new perspectives in masking schemedesign.

References

BFGV12. Josep Balasch, Sebastian Faust, Benedikt Gierlichs, and Ingrid Ver-bauwhede. Theory and Practice of a Leakage Resilient Masking Scheme.In X. Wang and K. Sako, editors, Advances in Cryptology – ASIACRYPT2012, volume 7658 of LNCS, pages 758–775. Springer, 2012.

BMK04. J. Blomer, J. G. Merchan, and V. Krummel. Provably Secure Masking ofAES. In M. Matsui and R. Zuccherato, editors, Selected Areas in Cryptog-raphy – SAC 2004, volume 3357 of LNCS, pages 69–83. Springer, 2004.

BOGW88. M. Ben-Or, S. Goldwasser, and A. Wigderson. Completeness Theorems ForNon-Cryptographic Fault-Tolerant Distributed Computation. Symposiumon Theory of Computing, pages 1–10, 1988.

CC06. Hao Chen and Ronald Cramer. Algebraic Geometric Secret SharingSchemes and Secure Multi-Party Computations over Small Fields. InS. Dwork, editor, Advances in Cryptology – CRYPTO 2006, volume 4117of LNCS, pages 521–536. Springer, 2006.

CCD88. David Chaum, Claude Crepeau, and Ivan Damgard. Multiparty Uncon-ditionally Secure Protocols. Symposium on Theory of Computing, pages11–19, 1988.

CCG+07. Hao Chen, Ronald Cramer, Shafi Goldwasser, Robbert de Haan, and VinodVaikuntanathan. Secure Computation from Random Error CorrectingCodes. In D. Pointcheval and T. Johansson, editors, Advances in Cryptol-ogy – EUROCRYPT 2007, volume 7237 of LNCS, pages 291–310. Springer,2007.

CDG+08. Ronald Cramer, Vanesa Daza, Ignacio Gracia, Jorge Jimenez Urroz, Gre-gor Leander, Jaume Martı-Farre, and Carles Padro. On Codes, Matroids,and Secure Multiparty Computation From Linear Secret-Sharing Schemes.IEEE Transactions on Information Theory, 54(6):2644–2657, 2008.

CDM00. Ronald Cramer, Ivan Damgard, and Ueli M. Maurer. General Secure Multi-party Computation from any Linear Secret-Sharing Scheme. In B. Pre-neel, editor, Advances in Cryptology – EUROCRYPT 2000, volume 1807of LNCS, pages 316–334. Springer, 2000.

CG13. Claude Carlet and Sylvain Guilley. Side-channel indistinguishability. InHASP ’13 Proceedings of the 2nd International Workshop on Hardwareand Architectural Support for Security and Privacy. ACM New York, 2013.

18

CGKS12. Claude Carlet, Philippe Gaborit, Jon-Lark Kim, and Patrick Sole. A NewClass of Codes for Boolean Masking of Cryptographic Computations. IEEETransactions on Information Theory, 58(9):6000–6011, 2012.

CPR12. J.-S. Coron, E. Prouff, and T. Roche. On the Use of Shamir’s SecretSharing Against Side-Channel Analysis . In Stefan Mangard, editor, SmartCard Research and Advanced Applications, 11th International Conference– CARDIS 2012, LNCS. Springer, 2012.

CPRR13. Jean-Sebastien Coron, Emmanuel Prouff, Matthieu Rivain, and ThomasRoche. Higher-Order Side Channel Security and Mask Refreshing. In FastSoftware Encryption – FSE 2013, 2013.

CS90. John H. Conway and Neil J. A. Sloane. A new upper bound on the minimaldistance of self-dual codes. IEEE Transactions on Information Theory,36(6):1319–1333, 1990.

DF12. Stefan Dziembowski and Sebastian Faust. Leakage-Resilient Circuits with-out Computational Assumptions. In R. Cramer, editor, Theory of Cryp-tography Conference – TCC 2012, volume 7194 of LNCS. Springer, 2012.

DR02. J. Daemen and V. Rijmen. The Design of Rijndael. Springer, 2002.FIP01. FIPS PUB 197. Advanced Encryption Standard. National Institute of

Standards and Technology, November 2001.FMPR10. Guillaume Fumaroli, Ange Martinelli, Emmanuel Prouff, and Matthieu Ri-

vain. Affine masking against higher-order side channel analysis. In AlexBiryukov, Guang Gong, and Douglas R. Stinson, editors, Selected Areas inCryptography – SAC 2010, volume 6544 of LNCS, pages 262–280. Springer,2010.

GM11. L. Goubin and A. Martinelli. Protecting AES with Shamir’s Secret SharingScheme. In Preneel and Takagi [PT11], pages 79–94.

GO03. Philippe Gaborit and Ayoub Otmani. Experimental Constructions Of Self-Dual Codes. Finite Fields and Their Applications-Elsevier, July 2003.

GRR98. R. Gennaro, M. Rabin, and T. Rabin. Simplifed vss and fact-track multi-party computations with applications to threshold cryptography. Sympo-sium on Principles of Distributed Computing, pages 101–111, 1998.

ISW03. Yuval Ishai, Amit Sahai, and David Wagner. Private Circuits: SecuringHardware against Probing Attacks. In D. Boneh, editor, Advances in Cryp-tology – CRYPTO 2003, volume 2729 of LNCS, pages 463–481. Springer,2003.

JPS05. M. Joye, P. Paillier, and B. Schoenmakers. On Second-order DifferentialPower Analysis. In J.R. Rao and B. Sunar, editors, Cryptographic Hardwareand Embedded Systems – CHES 2005, volume 3659 of LNCS, pages 293–308. Springer, 2005.

KHL11. HeeSeok Kim, Seokhie Hong, and Jongin Lim. A Fast and Provably SecureHigher-Order Masking of AES S-Box. In Preneel and Takagi [PT11], pages95–107.

KJJ99. P. Kocher, J. Jaffe, and B. Jun. Differential Power Analysis. In M.J.Wiener, editor, Advances in Cryptology – CRYPTO ’99, volume 1666 ofLNCS, pages 388–397. Springer, 1999.

Koc96. P. Kocher. Timing Attacks on Implementations of Diffie-Hellman, RSA,DSS, and Other Systems. In N. Koblitz, editor, Advances in Cryptology –CRYPTO ’96, volume 1109 of LNCS, pages 104–113. Springer, 1996.

Mas93. J. Massey. Minimal Codewords and Secret Sharing. In Sixth Joint Swedish-Russian Workshop on Information Theory, pages 246–249, 1993.

19

Mes00. T.S. Messerges. Using Second-order Power Analysis to Attack DPA Resis-tant Software. In C.K. Koc and C. Paar, editors, Cryptographic Hardwareand Embedded Systems – CHES 2000, volume 1965 of LNCS, pages 238–251. Springer, 2000.

MS78. F.J. MacWilliams and N.J.A. Sloane. The Theory of Error-CorrectingCodes. North-holland Publishing Company, 1978.

OMPR05. Elisabeth Oswald, Stefan Mangard, Norbert Pramstaller, and Vincent Ri-jmen. A Side-Channel Analysis Resistant Description of the AES S-box.In H. Handschuh and H. Gilbert, editors, Fast Software Encryption – FSE2005, volume 3557 of LNCS, pages 413–423. Springer, 2005.

PR10. Emmanuel Prouff and Thomas Roche. Attack on a Higher-Order Maskingof the AES Based on Homographic Functions. In Guang Gong and Kis-han Chand Gupta, editors, Progress in Cryptology – INDOCRYPT 2010,volume 6498 of LNCS, pages 262–281. Springer, 2010.

PR11. Emmanuel Prouff and Thomas Roche. Higher-Order Glitches Free Imple-mentation of the AES Using Secure Multi-party Computation Protocols.In Preneel and Takagi [PT11], pages 63–78.

PT11. Bart Preneel and Tsuyoshi Takagi, editors. Cryptographic Hardware andEmbedded Systems – CHES 2011, volume 6917 of LNCS. Springer, 2011.

RP10. M. Rivain and E. Prouff. Provably Secure Higher-order Masking of AES.In Stefan Mangard and Francois-Xavier Standaert, editors, CryptographicHardware and Embedded Systems – CHES 2010, volume 6225 of LNCS,pages 413–427. Springer, 2010.

Sha79. Adi Shamir. How to Share a Secret. Communications of the ACM,22(11):612–613, November 1979.

TDG02. Elena Trichina, D. DeSeta, and L. Germani. Simplified Adaptive Mul-tiplicative Masking for AES. In B.S. Kaliski Jr., C.K. Koc, and C. Paar,editors, Cryptographic Hardware and Embedded Systems – CHES 2002, vol-ume 2523 of LNCS, pages 187–197. Springer, 2002.

20